The filename of the attachment was not escaped correctly and I was able to get the Stored XSS triggered. By using the generated report from Google Analytics I could inject script code that was executed on mail.google.com. The XSS is stored just simply reopen the mail anytime you want.

Google Security Team was pretty fast to address this issue and resolved this the next day itself. Google Security team awarded this bug with $5000.